Video Screencast Help
Protect Your POS Environment Against Retail Data Breaches. Learn More.
Security Response
Showing posts tagged with Spam
Showing posts in English
Anand Muralidharan | 06 May 2013 08:43:36 GMT

Mother’s Day is celebrated in many countries on May 12 and it’s a day for children, regardless of age, to express their love to their mother by giving her a gift. Spam messages related to Mother’s Day have begun flowing into the Symantec Probe Network. Clicking the URL contained in the spam message automatically redirects the recipient to a website containing a bogus Mother’s Day offer upon completion of a fake survey.

mothers 1.png

Figure 1: Survey spam targeting Mother’s Day

Once the survey is completed, a page is then displayed asking the user to enter their personal information in order to receive the bogus offer.

mothers 2.png

Figure 2...

Eric Park | 03 May 2013 20:14:54 GMT

Last week, Symantec posted a blog on an increase in spam messages with .pw URLs. Since then, spam messages with .pw URLs have begun showing up even more.
 

pw TLD blog update.png

Figure 1. .pw TLD spam message increase
 

Symantec conducted some analysis into where these attacks are coming from in terms of IP spaces. As expected, Symantec observed a large quantity of mail being sent from an IP range and then moving to another IP range. While this is an expected behavior, there was an interesting twist. There were multiple companies (with different names) hosting .pw spammers using the same physical address in Nevada. 

Examining messages found in the Global Intelligence Network, Symantec...

Sammy Chu | 01 May 2013 23:12:31 GMT

For that past several days, Symantec has observed an increase in spam messages containing hexadecimal obfuscated URLs. Hexadecimal character codes are simply the hexadecimal number to letter representation for the ASCII character set. To a computer, hexadecimal is just one out of the many systems for address expressions on the Internet.

The following samples are different hexadecimal representations for http://www.symantec.com.

Hexadecimal only:

http://www.

symantec.co&#x006d

Hexadecimal and ASCII characters:   

(“http” and “com” are in ASCII characters and the...

Ashish Diwakar | 26 Apr 2013 21:25:07 GMT

Contributor: Avhdoot Patil

Phishers have recently gained a lot of interest in football. Various phishing attacks using football were observed in 2012. Phishers have already shown their interest in the 2014 FIFA World Cup, football celebrities, and football clubs. Scam for LIONEL MESSI Fans and Scam for FC Barcelona are good examples of phishers using football celebrities and football clubs. Fraudsters understand that choosing celebrities with a huge fan base offers the largest amount of targets which could increase their chances of harvesting user credentials. In April 2013, the trend continued with phishers using the same strategy. The phishing sites were in French on a free web hosting site.

The phishing sites prompted users to enter their Facebook login credentials on pages designed to...

Eric Park | 26 Apr 2013 17:57:25 GMT

Symantec has observed an increase in spam messages containing .pw top-level domain (TLD) URLs.  While it was originally a country code top-level domain for Palau, it is now available to the general public through Directi, who branded it as “Professional Web”.
 

pw tld blog 1.png

Figure 1. .pw TLD URL spam message increase
 

Looking back at the last 90 days, .pw ranked #16 on our TLD distribution list:
 

pw tld blog 2_0.png

Figure 2. TLD distribution list - last 90 days
 

However, the .pw URL jumps to the fourth spot when looking at the last 7 days:
...

Mathew Maniyara | 24 Apr 2013 18:22:36 GMT

Contributor: Avdhoot Patil

Phishers are not letting go of the chaos in Syria. They are using a common phishing template and modifying the messages. In March, phishers mimicked the same website of an organization in the Arab Gulf States observed in a previous phishing site. But instead of promoting the Syrian opposition, phishers impersonated the UN in a scheme meant to show support for the people of Syria. The phishing pages were in Arabic and the phishing site was hosted on servers based in Dallas, Texas, in the United States.

Just recently, phishers have tried to entice users by condemning the Syrian regime. Now, they are citing the Syrian President, Bashar al-Assad, in particular. The phishing site we observed contained a message in Arabic that asked users if they agreed with condemnation of the Syrian President as a war criminal. The message gave options...

Ashish Diwakar | 22 Apr 2013 18:18:15 GMT

Contributor: Avdhoot Patil

Promotion for Telugu movies has gained momentum in the world of phishing as they continue to be targeted with phishing scams. The phishing site featuring the movie “Brindavanam” is one example. In a more recent case, phishers used a captivating song from the Telugu movie, “Saitan” as bait.
 

Telugu Movies 1 edit.jpg
 

The phishing site displayed a picture from a captivating musical number from the movie “Saitan” starring Telugu actress, Santosh Samrat, and Sri Lankan film and teledrama actress, Akarsha, on the left side of the phishing page. The picture from the musical number was taken from the legitimate movie website. The phishing...

Mathew Maniyara | 18 Apr 2013 15:03:02 GMT

Contributor: Avdhoot Patil

Phishers have already shown interest in the violence that erupted recently in various parts of the Arab world. The phishing attack involving Syria is a good example. Phishers are now taking advantage of the political unrest in Egypt as protests in the country continue. In March 2013, phishers promoted former Egyptian Prime Minister Ahmed Shafik in a phishing site. The phishing site was hosted on servers based in North Carolina, USA. The name “Ahmed Shafik” was used in the domain name of the phishing site.

blurred_website_600px.png

Figure 1. Phishing site designed as a fake official website of Ahmed Shafik

The phishing site was designed to look like an official page of the politician. It...

Samir_Patil | 17 Apr 2013 12:04:02 GMT

Contributor: Christopher Mendes

On the afternoon of April 15, 2013, just when many people were on the cusp of conquering another personal milestone by completing the Boston Marathon, they were hit hard by an act of cowardice. Two bombs struck near the finish line of the Marathon on Monday. Within hours of the bomb blast, large malware-laden spam emails started doing the rounds.

Symantec customers are protected from this attack. Symantec blocks the attack by multi-level detection using Antispam, Intrusion Prevention System technology (IPS), and antivirus (AV). The AV detects the downloaded file as Packed.Generic.402. IPS detects the attack as Web Attack: Red Exploit Kit Website.

The spam email is very simple. The...

Ashish Diwakar | 17 Apr 2013 03:41:34 GMT

Contributor: Avdhoot Patil

Phishers continue to target Indian movies with phishing scams. The phishing site featuring the movie “Bodyguard” is one example, and this month Symantec observed a phishing attack in which phishers used a song from the Telugu movie “Brindavanam” as bait.

image1.jpg

The phishing site displayed a picture of a musical number from the movie “Brindavanam” starring Telugu actresses Samantha and Kajal Aggarwal in the left side of the phishing page. There is also a plot summary of the movie below the image. The phishing page then encouraged users to enter their login credentials stating that, after logging in, they could watch the video. The pictured musical number from the movie was taken from the legitimate movie website. After...